Network Working Group                                   Assar Westerlund
<draft-ietf-cat-krb5-tcp-00.txt>                                    SICS
Internet-Draft                                          Johan Danielsson
November, 1997                                                  PDC, KTH
Expire in six months

                           Kerberos over TCP

Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.  Please send comments to the
   <cat-ietf@mit.edu> mailing list.

Abstract

   This document specifies how the communication should be done between
   a client and a KDC using Kerberos [RFC1510] with TCP as the transport
   protocol.

Specification

   This draft specifies an extension to section 8.2.1 of RFC1510.

   A Kerberos server MAY accept requests on TCP port 88 (decimal).

   The data sent from the client to the KDC should consist of 4 bytes
   containing the length, in network byte order, of the Kerberos
   request, followed by the request (AS-REQ or TGS-REQ) itself.  The
   reply from the KDC should consist of the length of the reply packet
   (4 bytes, network byte order) followed by the packet itself (AS-REP,
   TGS-REP, or KRB-ERROR).




Westerlund, Danielsson                                          [Page 1]

Internet Draft             Kerberos over TCP              November, 1997


   C->S: Open connection to TCP port 88 at the server
   C->S: length of request
   C->S: AS-REQ or TGS-REQ
   S->C: length of reply
   S->C: AS-REP, TGS-REP, or KRB-ERROR

Discussion

   Even though the preferred way of sending kerberos packets is over UDP
   there are several occasions when it's more practical to use TCP.

   Mainly, it's usually much less cumbersome to get TCP through
   firewalls than UDP.

   In theory, there's no reason for having explicit length fields, that
   information is already encoded in the ASN1 encoding of the Kerberos
   packets.  But having explicit lengths makes it unnecessary to have to
   decode the ASN.1 encoding just to know how much data has to be read.

   Another way of signaling the end of the request of the reply would be
   to do a half-close after the request and a full-close after the
   reply.  This does not work well with all kinds of firewalls.

Security considerations

   This memo does not introduce any known security considerations in
   addition to those mentioned in [RFC1510].

References

   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
   Authentication Service (V5)", RFC 1510, September 1993.

Authors' Addresses

   Assar Westerlund
   Swedish Institute of Computer Science
   Box 1263
   S-164 29  KISTA
   Sweden

   Phone: +46-8-7521526
   Fax:   +46-8-7517230
   EMail: assar@sics.se

   Johan Danielsson
   PDC, KTH
   S-100 44  STOCKHOLM



Westerlund, Danielsson                                          [Page 2]

Internet Draft             Kerberos over TCP              November, 1997


   Sweden

   Phone: +46-8-7907885
   Fax:   +46-8-247784
   EMail: joda@pdc.kth.se














































Westerlund, Danielsson                                          [Page 3]